- Getting started with Microsoft ISA Server 2006, Part 1: Introduction
- Getting started with Microsoft ISA Server 2006, Part 2: Environment Setup
- Getting started with Microsoft ISA Server 2006, Part 3: Installation
- Getting started with Microsoft ISA Server 2006, Part 4: Service Pack 1
- Getting started with Microsoft ISA Server 2006, Part 5: Network Layout Concept
- Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout
- Getting started with Microsoft ISA Server 2006, Part 7: Create DNS Lookup Rule
- Getting started with Microsoft ISA Server 2006, Part 8: Create Web Access Rule
- Getting started with Microsoft ISA Server 2006, Part 9: Client Configuration
- Getting started with Microsoft ISA Server 2006, Part 10: Logging
- Getting started with Microsoft ISA Server 2006, Part 11: HTTP Filtering
- Getting started with Microsoft ISA Server 2006, Part 12: Block Windows Live Messenger
Create DNS Lookup Rule
In Part 6: Configure Network Layout, you configured the network environment of ISA Server 2006. Now let’s create some access rules on ISA Server 2006. In this example, I have internal and external DNS servers, as shown in the network diagram in Part 2: Environment Setup. The internal DNS server works fine as it is, since it is on the same network as the clients (the Internal network). But the external DNS servers (my ISP’s DNS servers) are on the External network, and at this point ISA Server 2006 blocks all traffic, so clients on the Internal network cannot send any DNS lookup to the external DNS servers. That is a problem for any client that wants to use the Internet. Therefore, I will create an access rule that allows DNS lookups from clients on the Internal network to the external DNS servers. The external DNS servers are 203.144.255.71 and 203.144.255.72. Note that the rule is scoped to exactly those two addresses and to the DNS protocol only; it does not open DNS (or anything else) to the whole External network, which keeps the rule as narrow as the clients actually need.
Step-by-step
- In ISA Server Management, open Firewall Policy by expanding Arrays -> BKKISA001 -> Firewall Policy (BKKISA001).
- Create a new access rule by clicking the Tasks tab -> Create Access Rule.
- On Welcome to the New Access Rule Wizard, type the access rule name. In this example, I type “Allow DNS Lookup” and click Next.
- On Rule Action, you can select whether this rule allows or denies traffic. Select Allow and click Next.
- On Protocols, you can select the protocols this rule applies to. Choose “Selected protocols”, click Add, and add DNS from the protocol list (it is listed under Common Protocols), so the rule allows only DNS and nothing else. Click Next.
- On Access Rule Sources, you can specify the source networks for this rule. Click Add, add the Internal network from Networks, and click Next.
- On Access Rule Destinations, you can specify the destination networks (or other network entities) for this rule.
- Click Add.
- On Add Network Entities, click New -> Address Range.
- On New Address Range Rule Element, type the name and specify the IP address range. In this example, I name it “External DNS Addresses” and the IP address range is 203.144.255.71 to 203.144.255.72. Click OK.
- Back in Add Network Entities, the address range I just created now appears; double-click it to add it to the rule, then click Close.
- Back in Access Rule Destinations, “External DNS Addresses” is now listed as the rule’s destination. Click Next.
- On User Sets, you can specify the user sets for the rule (click Add to choose one). In this example, I leave it as All Users and click Next.
- On Completing the New Access Rule Wizard, click Finish.
- To save the changes you have made, you must click Apply.
- On Saving Configuration Changes, click OK.
- You have now created an access rule that allows DNS lookups from the Internal network to the external DNS servers.
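The same rule can be created without the wizard through the ISA Server administration COM object model, which is handy when you need to reproduce the configuration on another array or keep it in version control. The script below is an added example and is not code from the original post; the object and enumeration names (FPC.Root, RuleElements.AddressRanges, ArrayPolicy.PolicyRules.AddAccessRule, fpcInclude and friends) are taken from the ISA Server 2004/2006 SDK as I remember them, and the AddressRanges.Add(Name, IP_From, IP_To) signature in particular is an assumption you should check against the SDK before relying on it. It must be run on the ISA Server computer by an ISA administrator.

```vbscript
' CreateDnsLookupRule.vbs - scripted equivalent of the "Allow DNS Lookup" wizard steps.
' Added example, not part of the original tutorial. Run on the ISA Server 2006
' computer as an ISA administrator:  cscript CreateDnsLookupRule.vbs
Option Explicit

' Enumeration values from the ISA Server SDK
Const fpcPolicyRuleActionPermit = 0   ' FpcPolicyRuleActions: Allow
Const fpcSpecifiedProtocols     = 1   ' FpcProtocolSelectionType: "Selected protocols"
Const fpcInclude                = 0   ' FpcIncludeStatus: include this element in the rule

' Values used by the tutorial
Const RULE_NAME  = "Allow DNS Lookup"
Const RANGE_NAME = "External DNS Addresses"
Const RANGE_FROM = "203.144.255.71"
Const RANGE_TO   = "203.144.255.72"

Dim root, isaArray, ranges, range, rules, rule

Set root     = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray()   ' the local array (BKKISA001 in the tutorial)

' 1. Address range rule element (wizard: New -> Address Range).
'    Reuse it if it already exists; Item() raises an error when the name is unknown.
Set ranges = isaArray.RuleElements.AddressRanges
On Error Resume Next
Set range = ranges.Item(RANGE_NAME)
If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    ' Assumed SDK signature: Add(Name, IP_From, IP_To) - verify against the SDK docs.
    Set range = ranges.Add(RANGE_NAME, RANGE_FROM, RANGE_TO)
    ranges.Save
End If
On Error GoTo 0

' 2. The access rule itself (wizard pages: Rule Action, Protocols, Sources, Destinations).
Set rules = isaArray.ArrayPolicy.PolicyRules
Set rule  = rules.AddAccessRule(RULE_NAME)
rule.Action = fpcPolicyRuleActionPermit                          ' Rule Action: Allow
rule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols
rule.AccessProperties.SpecifiedProtocols.Add "DNS", fpcInclude   ' Protocols: DNS only
rule.SourceSelectionIPs.Networks.Add "Internal", fpcInclude      ' Sources: Internal network
rule.AccessProperties.DestinationSelectionIPs.AddressRanges.Add RANGE_NAME, fpcInclude
' User Sets is left at its default (All Users), as in the wizard.

' 3. Persist the change - this is what clicking Apply does in the console.
rules.Save
WScript.Echo "Created access rule """ & RULE_NAME & """ allowing DNS from Internal to " & _
             RANGE_FROM & "-" & RANGE_TO
```

After the rule is applied (by either method), check it from a client on the Internal network with `nslookup` pointed explicitly at one of the two servers, for example `nslookup www.microsoft.com 203.144.255.71`; it should resolve, while the same query sent to any other external address should still be refused, which confirms the rule only opened DNS to the two listed hosts. The allowed and denied DNS connections also appear in the ISA log (see Part 10: Logging), which is the quickest way to see which rule matched.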
What’s Next?
You have created your first access rule, for DNS lookups. Clients will now be able to resolve names on the Internet. But there is no access rule for Internet access yet, so next I will create another access rule that lets clients access the Internet.
Hi linglom,
In step 7, On Access Rule Destination, you have mentioned the DNS addresses. If you provide “External” as the destination network and specify the DNS addresses on the WAN NIC, will it work? Which one will be faster?
Hi imu,
It should work also. This post is just about creating an access rule to allow DNS queries, so it has no effect on the speed.